Why Is the Aramco Hack Considered a Significant NSA Milestone?

I’ve been puzzling over the list of “key SSO cyber milestone dates” released with the upstream 702 story the other day.

For the most part, it lists technical and legal milestones leading to expanded collection targeting cyber targets (which makes sense, given that’s what Special Source Operations does — collect data off switches). There’s the one redacted bullet (which, if it referred to an attack thwarted, might refer to this thwarted attack on a US defense contractor in December 2012).

But what is the August 2012 DDOS attack on Saudi Aramco doing on the list? And, for that matter, why is it referred to as a DDOS attack?

The attack was publicly described as a two-step hack targeted against both Aramco and Qatar’s gas industry which copy-catted an attack associated with the Flame attack on Iran. It is generally now described as Iranian retaliation for StuxNet, though at the time potential attribution ranged from hacktivists to a single hacker to Aramco insiders. The Sony hack used tools related to the Shamoon attack.

Not long after the Aramco hack, the NSA expanded their Third Party SIGINT relationship to include the Saudi Interior Ministry (then led by close US ally Mohammed bin Nayef). The next month the Saudis (again, with MbN in the lead) prematurely renewed their Technical Cooperation Agreement with the US, adding a new cybersecurity component.

So regardless of how serious an attack it was (on that, too, accounts varied) it did have a significant effect on our role in cybersecurity in the Middle East, potentially with implications for SSO.

But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?


8 replies
  1. scribe says:

    But unless SSO thwarted the attack — or at least alerted the Saudis in time to pull their computers offline — why would that be a significant milestone for SSO?

    Because it got the Saudis to agree to expand their third-party SIGINT relationship to include the Saudi Interior Ministry, and to prematurely renew their Technical Cooperation Agreement with the US, adding a new cybersecurity component?

    Just speculating from not a lot of data, it would be worth looking into whether the Saudis had some upgrade to their telephone/internet structure coming up for contract in that timeframe. Recall that Huawei is both one of the largest competitors with US structure-providers. Recall also (from that 60 Minutes piece a year or so ago) that when some smaller US telecoms started considering buying equipment from Huawei, their executives get polite visits from gentlemen working for unnamed US government agencies “encouraging” them to Buy American.

    So if the Saudis – who the USG want to keep in “our corner”, lest their oil get overpriced, sold elsewhere, or priced in something other than dollars – were considering Buying Chinese and then changed their minds about it, it would stand to reason that getting them to sign on for more US support would be hailed as a major accomplishment. Similarly, if an analysis of the ARAMCO hack revealed it was built or done using code traceable to China, sharing that information with the Saudis would work toward effectuating the sale/sign-ups. This, because the sub rosa pitch “look at what they did – you can’t trust them but you can trust us” would then be available. It would likely have been made within Saudi circles, without the US having to open its mouth along those lines.

    But, like I said, that was a lot of speculating from not a lot of data.

  2. scribe says:

    What I really wanna know is, what is this “WealthyCluster” thing?
    Are they talking about a “target-rich environment”? Or are they targeting the wealthy, who tend to live in clusters?
    Inquiring minds want to know. And I’m sure the rich folks would, too.

    • Rayne says:

      If I were to guess, I’d say ‘target-rich environment’ versus wealthy individuals — the data capacity 622 mbps approximates that of an undersea cable between small countries in the mid-1990s.

      Given the year 2006 denoted, is this a reference to a pre-PRISM program under which AT&T’s Room 641A and other black rooms were constructed and brought on line?

      Or was it the physical program under which Sect. 215 data collection was implemented with the US PATRIOT Act in 2006?

  3. Rayne says:

    I’m sketched out about the ARAMCO hack as you are, for several reasons.

    — Lieberman (with assist from Collins, Rockefeller, and Feinstein) introduced the Cybersecurity Act of 2012 on 14-FEB-2012. Guess when Lieberman really went to town crying about cyber attacks and the need for this bill? Within the month after initial reports of cyber attacks on ARAMCO. At that time—only weeks before the general election—Lieberman was crying loudly about attacks on banking interests by Iran. Funny thing, though, about cyber security firms in late summer-early autumn 2012:

    …Take a gander through Kaspersky or Langner websites and look for panicked reports of DDoS assaults on banking–you won’t find them. RSA’s blog never mentions Iran last year at all; F-Secure makes an oblique comment about nation-state cyberwarfare, implicitly critical of U.S. with regard to its deployment of cyberweapons. Kaspersky mentions Iran exactly once, in relation to the “Ma(h)di incident” last year, and not at all in a forecast of 2013. Langner mentions the difficulty of providing adequate cybersecurity, noting Secretary of Defense Leon Panetta’s October 11 speech–again, no reference to Iran.*

    Why were banks used to make the case for Cybersecurity Act of 2012 then, and not the attack on ARAMCO? (The act never was signed into law that year, btw; the attack on ARAMCO is used as a supportive footnote when the bill was resubmitted in 2013.)

    — Leon Panetta offers two grafs (~130 words) about the attack on ARAMCO and Qatar in his speech 11-OCT-2012. Coincidentally, President Obama signs a classified Presidential Policy Directive PPD_20 on 16-OCT-2012, only five days later, two-and-a-half weeks before the election. (Panetta mentions Iran exactly once in this speech, and not in direct relation to the attacks on ARAMCO/Qatar.)

    — Hackmageddon, a website documenting cyber attacks, posted links to early reports about the ARAMCO attack. But the early reports are thin on information, and sourcing is weak. Later reports from cyber security firms focus on the code, but not the tick-tock of Shamoon’s infection. Why?

    Note in a Kaspersky Securelist blog post this immaculate hand-off : “Earlier today, we received an interesting collection of samples from colleagues at another anti-malware company.” (Shamoon the Wiper–Copycats at Work, 16-AUG-2012) No attribution whatsoever. Kaspersky’s team says this looks a LOT like an attack on Iranian interests from April 2012; who was responsible for that attack?

    — Note the history of oil prices that year. How is it that ARAMCO could lose 40K PCs and 2000 servers, and there’s ZERO impact on market price of oil? Not to mention the loss of PCs and servers in Qatar’s oil industry as well.

    This all looked iffy then; Lieberman in particular appeared to spout handy FUD to get the Cybersecurity Act passed before the election. Three years later, none of this seems any more rational now.
    (* Clarification: Langner made no reference to Iran.)

      • Rayne says:

        Maybe, maybe not…Heck, I don’t know that we didn’t do this, whatever this is. ARAMCO’s network appears to be out for two weeks and there’s virtually no reporting on the impact of the attack apart from the buzz generated by cybersecurity firms picking apart the code, and government officials who also want more powers.

        Which makes me wonder: If a malware-bear shits in the globalized network-forest, and there’s no real smell, did it really happen?

        • orionATL says:

          very interesting blend of technical and historical reporting. that can’t be all that easy to do.


          • Rayne says:

            Thanks. As you well know, these nation-state cyber attacks don’t happen in a vacuum – there’s always something happening off-network driving the attack, or happening as fallout. The Lieberman FUD in 2012 was epic, really bugged the crap out of me then. It was hard to tell how much of his whining was his swan song to the Senate, and/or a last debt paid to [insert likely supporter]. The farther back we step, the more we see. Was Lieberman drawing attention TOWARD the bank attacks, and AWAY from Shamoon? Hmm.
